by Mike Stone, Global Head of Technology Transformation for Infrastructure, Government and Healthcare, KPMG International

When organisations consider cyber security, they usually focus most of their attention on technology, partly because that is what the market pushes them towards. In my view, however, 50% of cyber security is cultural, 30% process and just 20% technology.

Cyber security is an arms race and the boards of all organisations need to take it seriously. Frankly, if it isn’t one of the key items on a board’s risk register, that board is asleep at the wheel. But many of the right responses on culture and process are neither new, nor are they particular to cyber security.

On culture, the insider threat has long been a problem for organisational security. British government posters during the Second World War reminded citizens that ‘Careless talk costs lives’, with one 1940 Ministry of Information poster also having someone telling a friend ‘Don’t forget that walls have ears!’ in front of wallpaper patterned with Adolf Hitler’s face.

But ‘careless talk’ is now something that millions of people indulge in, assuming that they can share everything through social media. While some may be put off by recent coverage of how their data is used, many people are in the habit of sharing their personal and professional lives online by default.

To help tackle this, organisations need education – not just about cyber threats such as phishing, but more broadly about how people treat any form of information sharing or access. It might not matter if an employee posts a picture of themselves online, but it matters very much if the background includes a screen showing sensitive information or a sticky note with a password on it. Educating people about this is as much about general information handling as it is about cyber security.

Security professionals should consider culture too

The onus is also on security professionals to consider how employees actually behave rather than how they believe they should. According to the UK’s National Cyber Security Centre (NCSC), British citizens have an average of 22 online passwords, far more than most people can realistically remember. So they reuse them, using the same password for an average of four websites.[i] Many of these passwords will be weak ones: research based on five million passwords leaked in 2017 suggests that the favourite choices remain ‘123456’ followed by ‘password’.[ii]

Security professionals can help by making authentication processes more user-friendly. NCSC backs the use of password management software for individuals, which can generate a strong, unique password for each service – it is far more realistic to expect users to remember a single strong master password than two dozen. For organisations, a single sign-on service provides a similar option, reducing the number of credentials each person has to hold, although it concentrates risk in that one credential, which must be protected accordingly. NCSC also discourages organisations from forcing users to change passwords regularly, on the grounds that the replacement is usually a predictable variant of the old one or a similarly weak choice; passwords should instead be changed when there is an indication that they have been compromised.[iii]
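To put numbers on the argument above, here is an added illustration (not code from the original article or from NCSC) of why a manager-generated per-service password, or a multi-word master passphrase, is so much harder to guess than the reused favourites cited earlier. The alphabet, the 32-word sample list and the two-entry denylist of leaked favourites are all constructed for this example; a real passphrase generator draws from a list of several thousand words, and a real denylist from millions of breached passwords.

```python
import math
import secrets
import string

# Alphabet a password manager might draw from for a generated per-service
# password: 52 letters, 10 digits and 13 punctuation characters (75 symbols).
# Assumed for this example, not a particular product's setting.
GENERATOR_ALPHABET = string.ascii_letters + string.digits + "!#$%&*+-=?@^_"

# Constructed 32-word list so the example runs offline; a real list such as
# a diceware list has 7776 words and gives about 12.9 bits per word.
SAMPLE_WORDLIST = [
    "anchor", "basil", "cobalt", "delta", "ember", "falcon", "garnet", "harbor",
    "iris", "jasper", "kelp", "lantern", "marble", "nectar", "orbit", "pebble",
    "quartz", "ripple", "saffron", "timber", "umber", "velvet", "willow", "xenon",
    "yarrow", "zephyr", "amber", "birch", "cedar", "dune", "fjord", "glacier",
]

# The two most common leaked passwords named in the article, standing in for
# a breached-password denylist.
TOP_LEAKED = {"123456", "password"}


def charset_size(password: str) -> int:
    """Size of the smallest standard character-class union covering the password."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(not c.isalnum() for c in password):
        size += 33  # punctuation and space
    return size


def naive_entropy_bits(password: str) -> float:
    """Upper bound on guessing entropy, assuming uniformly random choice from the class union."""
    size = charset_size(password)
    return len(password) * math.log2(size) if size else 0.0


def assess(password: str, denylist=TOP_LEAKED) -> dict:
    """Entropy estimate plus a denylist check; a known-leaked password is worth 0 bits
    no matter what the character-class arithmetic says, because it is guessed first."""
    blocked = password in denylist
    naive = naive_entropy_bits(password)
    return {
        "password": password,
        "naive_entropy_bits": round(naive, 2),
        "blocked": blocked,
        "effective_bits": 0.0 if blocked else round(naive, 2),
    }


def generate_service_password(length: int = 20) -> str:
    """Uniformly random per-service password, using the CSPRNG-backed secrets module."""
    return "".join(secrets.choice(GENERATOR_ALPHABET) for _ in range(length))


def generated_entropy_bits(length: int = 20) -> float:
    """Exact entropy of generate_service_password output: length * log2(alphabet size)."""
    return length * math.log2(len(GENERATOR_ALPHABET))


def generate_master_passphrase(word_count: int = 6, wordlist=SAMPLE_WORDLIST) -> str:
    """Memorable master passphrase: words chosen uniformly at random from the list."""
    return " ".join(secrets.choice(wordlist) for _ in range(word_count))


def passphrase_entropy_bits(word_count: int, wordlist_size: int) -> float:
    """Entropy of a random passphrase: word_count * log2(wordlist_size)."""
    return word_count * math.log2(wordlist_size)


if __name__ == "__main__":
    for pw in sorted(TOP_LEAKED):
        print(assess(pw))
    print(generate_service_password(), round(generated_entropy_bits(), 1), "bits")
    print(generate_master_passphrase(), round(passphrase_entropy_bits(6, len(SAMPLE_WORDLIST)), 1), "bits")
    print("same 6 words from a 7776-word list:", round(passphrase_entropy_bits(6, 7776), 1), "bits")
```

The point the numbers make: ‘123456’ scores about 20 bits on the naive character-class arithmetic but zero in practice because it sits at the top of every attacker’s list, whereas a 20-character generated password carries about 125 bits and six words from a 7776-word list about 77 bits, while remaining something a person can memorise once and type into a password manager.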

There are also technology-focused approaches for spotting insider threats, such as behaviour analysis, a useful technique that I will discuss in a future article.

Integrating IT security into IT operations

On process, it makes sense to integrate security into day-to-day IT operations. Some organisations run separate network operations centres (NOCs) and security operations centres (SOCs). I believe that keeping them separate is not only inefficient, since the two teams duplicate tooling, monitoring and on-call effort, but also ineffective. It is much better to run a single NOC-SOC, both for efficiency and because it makes security an integral part of the process of running an organisation’s network rather than an after-the-fact review of it.

A combined NOC-SOC can be controversial and many people believe they should be totally separate. As a practitioner, I believe that it’s much more sensible to bring them together and this is increasingly happening in the market.

I’m a great believer that ‘operate’ and ‘defend’ are two sides of the same coin. Good cyber hygiene is no different from good IT operations hygiene – to take another example, business continuity and disaster recovery plans aren’t just a mark of good cyber security but of good IT operational practice.

IT leaders can either take a ‘defence in depth’ approach, building a layered ecosystem that integrates products from multiple vendors, or go with a single provider and accept that they will not have best of breed in every area.

Both approaches present benefits and risks, but I recommend defence in depth. In my opinion, there is a wide-open market opportunity for a ‘security orchestration bus’ that takes the input from the various products and layers and makes that data available to the others through an API, allowing true ‘plug and play’ across the enterprise and throughout the course of business.

None of this takes away from the fact that cyber security is a very real problem and I don’t want to take people’s eyes off the ball. But I do want people to concentrate on what actually is important – and that means considering culture and process at least as much as technology.

Mike Stone (mailto:Mike.Stone@kpmg.co.uk) is KPMG’s Global Head of Technology Transformation for Infrastructure, Government and Healthcare. He served as an officer in the British Army for 28 years and has worked as Chief Digital Information Officer for the UK Ministry of Defence as well as President of Service Design and Chief Information Officer for BT Global Services.

This is the second in a series by Mike Stone on cyber defence in depth.